Before attacking, most sophisticated attackers run automated scanner tools to map your API — probing for hidden endpoints, old admin panels, common misconfigurations, and known CVEs. A scan is the digital equivalent of a burglar walking around your building checking every window and door handle before choosing how to break in.
Think of it this way
A burglar does not walk up to the front door and kick it in. First, they walk around the building at night, checking: is this window unlocked? Is that door alarmed? Is there a back entrance no one is watching? Automated scanning is exactly this preparation phase — the attacker is building a map of your weaknesses.
Tools like Nuclei, sqlmap, nikto, and dirsearch send thousands of requests to your server, probing paths like /.env, /wp-admin, /api/v1/debug, and /actuator/health, and injecting payloads into parameters to look for error messages that reveal the technology stack or vulnerabilities. The scanner collects everything (error codes, response sizes, headers), and the attacker reviews the results to plan a targeted attack.
Scenario 1
An attacker runs a 20-minute scan against your API, discovering that /api/v1/admin/users returns a 403 (exists but forbidden) and /api/v2/debug returns a stack trace with database credentials visible. They use this information to craft a targeted exploit.
Scenario 2
A criminal group scans thousands of companies simultaneously, cataloguing which ones are running vulnerable versions of popular software. They sell these target lists to other attackers.
Anomira detects scans through high 404 error rates from a single IP (probing non-existent paths), requests to well-known attack paths (/.env, /phpmyadmin, /wp-admin), and scanner User-Agent strings from tools like nikto, sqlmap, and dirsearch.
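The three signals above can be sketched as a small log-analysis pass. This is an added example, not Anomira's implementation: the combined-log-format input, the thresholds, and the function names are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

PROBE_PATHS = ("/.env", "/phpmyadmin", "/wp-admin")   # paths named on this page
SCANNER_UAS = ("nikto", "sqlmap", "dirsearch")        # tools named on this page
MIN_REQUESTS = 5      # assumed: ignore IPs with too few requests to judge a ratio
MAX_404_RATIO = 0.5   # assumed: flag when more than half of requests return 404

# Combined log format: ip ident user [time] "METHOD path proto" status size "ref" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def detect_scanners(lines):
    """Return {ip: sorted list of reasons} for IPs showing scanner behaviour."""
    stats = defaultdict(lambda: {"total": 0, "not_found": 0, "reasons": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than guess at fields
        s = stats[m["ip"]]
        s["total"] += 1
        s["not_found"] += m["status"] == "404"
        path = m["path"].split("?", 1)[0].lower()  # ignore the query string
        if any(path == p or path.startswith(p + "/") for p in PROBE_PATHS):
            s["reasons"].add("probe_path")
        if any(tok in m["ua"].lower() for tok in SCANNER_UAS):
            s["reasons"].add("scanner_user_agent")
    flagged = {}
    for ip, s in stats.items():
        if s["total"] >= MIN_REQUESTS and s["not_found"] / s["total"] > MAX_404_RATIO:
            s["reasons"].add("high_404_rate")
        if s["reasons"]:
            flagged[ip] = sorted(s["reasons"])
    return flagged

def make_line(ip, path, status, ua):
    return f'{ip} - - [01/Jan/2025:00:00:00 +0000] "GET {path} HTTP/1.1" {status} 0 "-" "{ua}"'

# Constructed sample log using documentation IP ranges, not real traffic.
SAMPLE_LOG = (
    [make_line("203.0.113.7", f"/guess{i}", 404, "Mozilla/5.0") for i in range(6)]
    + [make_line("203.0.113.7", "/.env", 404, "Mozilla/5.0")]
    + [make_line("198.51.100.9", "/api/v1/items", 200, "sqlmap/1.7")]
    + [make_line("192.0.2.10", "/api/v1/items", 200, "Mozilla/5.0") for _ in range(8)]
    + [make_line("192.0.2.10", "/favicon.ico", 404, "Mozilla/5.0")]
)

if __name__ == "__main__":
    print(detect_scanners(SAMPLE_LOG))
```

The third client in the sample hits one missing path among otherwise valid requests and is not flagged, which is why the 404 signal is a ratio with a minimum request count rather than a raw count.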
See this attack in your live API traffic
Anomira detects automated scanning and reconnaissance automatically, with no configuration needed.